Re: Uptick in false negatives - filter check?

2013-11-07 Thread Owen Mehegan
Oh, and I fixed spam4.txt to be accessible, sorry about that. 
-- 
Sent from Kaiten Mail. Please excuse my brevity.



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Uptick-in-false-negatives-filter-check-tp107090p107097.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Uptick in false negatives - filter check?

2013-11-07 Thread Owen Mehegan
Thanks for your response! My server is in EC2, and it appears that URIBL 
blanketly refuses requests from there. I set up a caching DNS server locally 
and tried routing my request through that, it was still rejected. Too many 
spammers using EC2 I guess. 

As for your other suggestion, isn't that the point of Bayesian filtering? I 
keep getting similar messages, training my bayes db on them, and then more get 
through. 

"Kris Deugau [via SpamAssassin]"  
wrote:
>
> Owen Mehegan wrote:
>> Posted this to the wrong/no list (via Nabble) yesterday...
>>
>> I've seen an uptick in false negatives lately, and the spam that is
>> getting through is all the same stuff repeatedly. If anyone would be
>> willing to run these samples through their filters and let me know if
>> they get better hits, I would appreciate it. There are three at
>> http://nerdnetworks.org/spam/
>
> (spam4.txt is inaccessible)
>
> I notice URIBL_BLOCKED hits; check that you're either using your own
> resolver with less than 100K messages/day, or that you're properly set
> up for datafeed. Or just disable the uribl.com rules. (We found that
> while they were usefully increasing our overall catch rate, the
> increase was not worth the cost of the datafeed [it came out to
> somewhere between one and five dollars a spam for the ones that the
> uribl.com hit was key in getting the message tagged], so we disabled
> the rules.)
>
> Beyond that I've started creating very simple rules targeting the
> Subject and From: name in this type of spam, along with extracting the
> relay IP and URIs for local DNSBLs. It's moderately effective once
> I've confirmed enough volume for any given Subject or name to feel
> it's worth creating a rule...
>
> -kgd
>

-- 
Sent from Kaiten Mail. Please excuse my brevity.




Rule to delete emails with empty subject.

2013-11-07 Thread Sergio
Hi all,
I tried this rule to stop emails with an empty subject, but it didn't work:

header   SUBJECT_EMPTY Subject =~ /^$/i
describe SUBJECT_EMPTY EMPTY SUBJECT
score    SUBJECT_EMPTY 11

Any hint on what is wrong?

Best Regards to all,

Sergio


Re: one word spam (still trying...)

2013-11-07 Thread Karsten Bräckelmann
On Thu, 2013-11-07 at 21:01 -0200, Marcio Humpris wrote:
> This didn't work for me also:
>
>  /^\s{0,80}\S{1,20}\s{0,80}$/

That RE matches a complete line with a single "word" (anything but
whitespace) of up to 20 chars, and optional whitespace \s before and
after the word.

> Here's the original email I want to block:
> http://pastebin.com/download.php?i=0D7tfsjf

Despite your Subject, that sample has two words in the body.

You didn't post the actual SA rule. The above is just an RE. This is
important, because different rules are applied against different
versions of the message or body, which also impacts the exact definition
of beginning ^ and end $ assertions. And in the case of a body rule, the
Subject becomes the first paragraph.

Even more words? In total, yes, but not as far as the above RE is
concerned. In body rules, paragraphs are normalized to newline delimited
single line strings. Lacking magic like the /m modifier, the beginning
and end assertions are per-line -- not spanning the entire body. A
single one word paragraph in a large mail would match.


Given the sample, what you actually are after might be a "very short
body" rule. This was part of a recent thread:

  rawbody __RB_GT_200  /^.{201}/s
  meta    __RB_LE_200  !__RB_GT_200

The (non-scoring sub-rule) __RB_LE_200 matches any mail with less than
or equal 200 chars in the textual body MIME-parts. To adjust the size
and lower it for your use-case, just replace any instance of 200 and 201
with your desired maximum size, and max size plus one respectively.

These rules are sub-rules intended to be used in a meta rule.


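To make the per-line anchoring and the "very short body" check concrete, here is an added Python model of the two points above; it is not SpamAssassin code, and the paragraph folding in body_lines() is an assumption that approximates what a body rule sees (Subject first, each paragraph on one line). The sample messages are constructed, not the pastebin sample.

```python
import re

# Constructed sample messages as (Subject, raw text body); not the pastebin sample.
SHORT_MSG = ("Tudo bom?", "Tudo bom?\n")
LONG_MSG = ("Oi", "Tudo bom?\n\n" + "Lorem ipsum " * 30 + "\n\nObrigado\n")

# The RE from the thread, unchanged: one "word" of up to 20 chars on a line.
ONE_WORD_RE = re.compile(r"^\s{0,80}\S{1,20}\s{0,80}$")
# rawbody __RB_GT_200 /^.{201}/s, negated by meta __RB_LE_200.
RB_GT_200_RE = re.compile(r"^.{201}", re.S)


def body_lines(subject, raw_body):
    """Approximation (an assumption, not SA's own rendering code) of what a
    body rule is matched against: the Subject as the first paragraph, then
    each paragraph folded onto a single newline-delimited line."""
    paras = [p for p in re.split(r"\n\s*\n", raw_body) if p.strip()]
    return [" ".join(subject.split())] + [" ".join(p.split()) for p in paras]


def one_word_hits(subject, raw_body):
    """Lines the one-word RE fires on: ^ and $ are per line, so a lone
    word anywhere (Subject included) is enough, however long the mail."""
    return [ln for ln in body_lines(subject, raw_body) if ONE_WORD_RE.search(ln)]


def rb_le_200(raw_body):
    """True when the raw body is at most 200 characters, as __RB_LE_200."""
    return RB_GT_200_RE.search(raw_body) is None


if __name__ == "__main__":
    for subj, body in (SHORT_MSG, LONG_MSG):
        print(repr(subj), one_word_hits(subj, body), rb_le_200(body))
```

The short two-word sample never trips the one-word RE but does satisfy the length check, while the long mail trips the RE on its Subject and on a lone "Obrigado" paragraph.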



Re: one word spam (still trying...)

2013-11-07 Thread John Hardin

On Thu, 7 Nov 2013, Marcio Humpris wrote:

> Hi, John
>
> This didn't work for me also:
>
> /^\s{0,80}\S{1,20}\s{0,80}$/
>
> can you kindly check it works here?
>
> http://www.softlion.com/webTools/RegExpTest/default.aspx

The slashes at the ends should be removed if you're testing the RE with
that tool. If I do that it works as expected there.

> Here's the original email I want to block:
>
> http://pastebin.com/download.php?i=0D7tfsjf

"Tudo bom?" is two words.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "They will be slaughtered as result of England's anti-gun laws
  that concentrates power to the Government."
-- Shifty Powers (101 abn) observing British
subjects training to repel a German invasion
using rakes, hoes and pitchforks
---
 4 days until Veterans Day


Re: Uptick in false negatives - filter check?

2013-11-07 Thread Kris Deugau
Owen Mehegan wrote:
> Posted this to the wrong/no list (via Nabble) yesterday...
> 
> I've seen an uptick in false negatives lately, and the spam that is getting
> through is all the same stuff repeatedly. If anyone would be willing to run
> these samples through their filters and let me know if they get better
> hits, I would appreciate it. There are three at
> http://nerdnetworks.org/spam/

(spam4.txt is inaccessible)

I notice URIBL_BLOCKED hits; check that you're either using your own
resolver with less than 100K messages/day, or that you're properly set
up for datafeed. Or just disable the uribl.com rules. (We found that
while they were usefully increasing our overall catch rate, the increase
was not worth the cost of the datafeed [it came out to somewhere between
one and five dollars a spam for the ones that the uribl.com hit was key
in getting the message tagged], so we disabled the rules.)

Beyond that I've started creating very simple rules targeting the
Subject and From: name in this type of spam, along with extracting the
relay IP and URIs for local DNSBLs. It's moderately effective once I've
confirmed enough volume for any given Subject or name to feel it's worth
creating a rule...

-kgd


one word spam (still trying...)

2013-11-07 Thread Marcio Humpris
Hi, John

This didn't work for me also:

 /^\s{0,80}\S{1,20}\s{0,80}$/

can you kindly check it works here?

http://www.softlion.com/webTools/RegExpTest/default.aspx

Here's the original email I want to block:

http://pastebin.com/download.php?i=0D7tfsjf

Thank you!


Uptick in false negatives - filter check?

2013-11-07 Thread Owen Mehegan
Posted this to the wrong/no list (via Nabble) yesterday...

I've seen an uptick in false negatives lately, and the spam that is getting
through is all the same stuff repeatedly. If anyone would be willing to run
these samples through their filters and let me know if they get better
hits, I would appreciate it. There are three at
http://nerdnetworks.org/spam/

I'm using SA 3.3.1, with Bayes, etc. I also have greylisting on my system
with a 15 minute delay, and surprisingly the first sample in this group now
hits a bunch of RBLs and scores >5, but apparently the 15 minute delay
wasn't enough time for that to help me. I've also been training my Bayes DB
on these types of messages for a few days, but they still keep getting
through. I used to hear that if your Bayes DB gets too big it can become
ineffective. I don't know if that's true or not, but here's my '--dump
magic' output:

0.000  0  3  0  non-token data: bayes db version
0.000  0  62157  0  non-token data: nspam
0.000  0 176680  0  non-token data: nham
0.000  0 144331  0  non-token data: ntokens
0.000  0 1383022790  0  non-token data: oldest atime
0.000  0 1383770853  0  non-token data: newest atime
0.000  0 1383766433  0  non-token data: last journal sync atime
0.000  0 1383685115  0  non-token data: last expiry atime
0.000  0 662551  0  non-token data: last expire atime delta
0.000  0  19902  0  non-token data: last expire reduction count

Looking at my spamd log, out of 1300 messages classified as spam, 566 hit
BAYES_9* and 391 hit BAYES_5*.

Thanks in advance for any advice anyone can offer!






Re: custom rules header check please

2013-11-07 Thread Benny Pedersen

emailitis.com wrote on 2013-11-07 16:40:

> header AEXP_ALL ALL =~ /aexp.com/i
> header EXVM_ALL ALL =~ /exvm.com/i

why not blacklist_from ?

blacklist_from *@aexp.com
blacklist_from *@exvm.com

also remember . needs escaping \. in header

but not as blacklist_from :)

does your real name contain a . ? :=)




Re: custom rules header check please

2013-11-07 Thread Bowie Bailey

On 11/7/2013 10:40 AM, emailitis.com wrote:

> I am getting lots of Spam which shows on the maillog as:
>
> Nov  7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fr...@aexp.com
>
> Or
>
> Nov  7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927...@dcbltd.exvm.com to: u...@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270
>
> I want to write some custom rules that can capture part of this
> (because on the actual emails, the sender often purports to be from
> someone totally different). Will the following work in my
> custom_rules.cf?:
>
> header AEXP_ALL ALL =~ /aexp\.com/i
> score  AEXP_ALL 4
>
> header EXVM_ALL ALL =~ /exvm\.com/i
> score  EXVM_ALL 4



That will work, but you should watch for false positives.  I would 
suggest anchoring it a bit as a first step.


header AEXP_ALL  ALL =~ /\baexp\.com\b/i

This will catch any emails that have the string "aexp.com" anywhere in 
the header.  The "\b" represents a word boundary so that "u...@aexp.com" 
or "blah.aexp.com" will match, but "naexp.com" will not.


--
Bowie
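An added Python check (not SpamAssassin's matcher and not from this thread) that shows the difference the \b anchoring makes and which header a `header RULE ALL =~ /.../` style rule would fire on, so false positives can be reviewed. The header block, addresses and IP are constructed placeholders; matching per header rather than against the whole ALL blob is a deliberate approximation.

```python
import re
from email import message_from_string

# Constructed header block; every address and IP here is a placeholder.
SAMPLE_HEADERS = (
    "Received: from mail.naexp.com (unknown [192.0.2.10]) by plesk3\n"
    "From: \"Card Services\" <news@aexp.com>\n"
    "Reply-To: bounce+1234@dcbltd.exvm.com\n"
    "X-Mailer: aexp.company-bulk-sender 1.0\n"
    "Subject: Your statement is ready\n"
    "\n"
)

# The rule as first proposed, and the word-boundary anchored version.
UNANCHORED = re.compile(r"aexp\.com", re.I)
ANCHORED = re.compile(r"\baexp\.com\b", re.I)


def header_hits(raw_headers, pattern):
    """Names of the headers the pattern matches, in header order.
    SA matches ALL as one blob; checking per header (an approximation)
    tells you which line caused the hit when you review false positives."""
    msg = message_from_string(raw_headers)
    return [name for name, value in msg.items() if pattern.search(value)]


if __name__ == "__main__":
    print("unanchored:", header_hits(SAMPLE_HEADERS, UNANCHORED))
    print("anchored:  ", header_hits(SAMPLE_HEADERS, ANCHORED))
```

The unanchored rule also fires on "naexp.com" in the Received line and on "aexp.company" in X-Mailer, while the \b version fires only on the From: address.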


custom rules header check please

2013-11-07 Thread emailitis.com
I am getting lots of Spam which shows on the maillog as:

Nov  7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fr...@aexp.com

Or

Nov  7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927...@dcbltd.exvm.com to: u...@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270

I want to write some custom rules that can capture part of this (because on
the actual emails, the sender often purports to be from someone totally
different). Will the following work in my custom_rules.cf?:

header AEXP_ALL ALL =~ /aexp\.com/i
score  AEXP_ALL 4

header EXVM_ALL ALL =~ /exvm\.com/i
score  EXVM_ALL 4


Grateful to the combined brains for advice

Kind regards, 

Christoph